New Release: Tor Browser 9.0.7

Tor Browser 9.0.7 is now available from the Tor Browser download page and also from our distribution directory.

This release features important security updates to Tor.

This release updates Tor to 0.4.2.7 and NoScript to 11.0.19.

In addition, this release disables Javascript for the entire browser when the Safest security level is selected. This may be a breaking change for your workflow if you previously allowed Javascript on some sites using NoScript. While you are on "Safest" you may restore the previous behavior and allow Javascript by:

  • Open about:config
  • Search for: javascript.enabled
  • The "Value" column should show "false"
  • Either: right-click and select "Toggle" such that it is now disabled or double-click on the row and it will be disabled.

We are taking this precaution until we are confident recent NoScript versions successfully block Javascript execution, by default, by working around a Firefox ESR vulnerability.

In addition, HTTPS-Everywhere version 2020.3.16 supports a new mode of operation named EASE (Encrypt All Sites Eligible). Tor Browser users should not enable this feature. This new mode allows for adding per-site exceptions (whitelisting), however adding per-site exceptions may increase a user's uniqueness while using Tor Browser. When EASE mode is enabled, the whitelisting feature does not always work correctly, as well. We decided against downgrading the included https-everywhere version.

The full changelog since Tor Browser 9.0.6 is:

  • All Platforms
    • Bump NoScript to 11.0.19
    • Bump Https-Everywhere to 2020.3.16
    • Bug 33613: Disable Javascript on Safest security level
  • Windows + OS X + Linux
    • Bump Tor to 0.4.2.7

 

Update 2020-03-25: Added Https-Everywhere upgrade in ChangeLog and message about EASE mode.

Anonymous

March 27, 2020

Permalink

Having issues with connection stability. What is the best way to connect to Tor (cable provider, personal WiFi via hotspot on a smart phone, or others)? Bisq loads with Tor, any suggestions for establishing a stable connection in within Linux Ubuntu? Thank you.

tor will attempt to reconnect if the connection is broken. Connection stability is usually independent of tor and thus affects connections not through tor as well. If a Tor circuit is unused, it will expire after a maximum of 10 minutes, and a new circuit will be created. I don't know if an active connection held open by an application would be forced to close if its circuit is older than 10 minutes. I don't think it should.

Anonymous

March 28, 2020

Permalink

Tor Exit Failures

Average probability-weighted failure rate: 74.7%

Test ran at 2020-03-27 20:16:00 UTC

What's going on?

Anonymous

March 28, 2020

Permalink

Hello, the Tor Browser telling me now that the Tor is broken. I can see red page with "Something went wrong" message. I use Windows 7 32-bit. I updated yesterday on 9.0.7 version. I saw this red page before update but after the update it disappeared. But now, the day after my update, i see it again and there is no description of the problem.

How to resolve this, please? How to fix the Tor and make the Tor Browser functional again?

Does it say, "Tor is not working in this browser"? That would be a description of the problem. The tor daemon (or "expert bundle") is a network proxy daemon that is packaged in the Tor Browser Bundle. The error basically means the tor daemon is not running. It is supposed to start when you open the browser, before the window appears. However, as it is a separate program, it can crash, and it won't crash the browser program. If the browser cannot access the tor daemon, the browser displays an error.

Does https://check.torproject.org/ return "Congratulations"? If not, exit all windows of the browser, wait 10 seconds, and reopen the browser.

Read the daemon's connection log to see if there are any error messages:
https://support.torproject.org/tbb/tbb-21/
Don't paste the log online if you configured bridges.

Hello! I hope you are using Firewall? Make sure the only tor.exe is allowed to communicate via network.
Concerning your issue - it is old "bug" on Windows. - You have just to restart your browser.

Anonymous

March 28, 2020

Permalink

I use tor safest mode because it prevented javascript except on sites I explicitly set to trusted. This no longer works due to the complete disabling of javascript. Will it return to the previous functionality at some point?

Quoting the blog post, "We are taking this precaution until we are confident recent NoScript versions successfully block Javascript execution, by default, by working around a Firefox ESR vulnerability."

Anonymous

March 29, 2020

Permalink

After I upgraded my android to 10, both Orbot and Tor Browser stopped working. The upgrade to new android was pushed by Samsung and the phone is not rooted.
Orbot keeps saying application request when we haven't used client functionality lately.
Tor browser however gives the following error:
Warning: pluggable transport process terminated with status code 6.
Any ideas?

Anonymous

March 30, 2020

Permalink

Tor browser su android non apre nessuna pagina e si blocca subito dopo averlo avviato come posso risolvere?

Check if your bridges are down. Paste a bridge fingerprint in Relay Search (and ONLY in Relay Search):
https://metrics.torproject.org/rs.html
https://2019.www.torproject.org/docs/bridges.html.en#Understanding

Offline, fingerprints are saved in your torrc file. Don't edit it.
https://support.torproject.org/tbb/tbb-editing-torrc/

If your bridges are down, disable them and connect through Guard relays. Or if you absolutely need bridges, you can request another set:
https://support.torproject.org/censorship/censorship-4/

If they're up but you can't connect, then the issue may be temporary, or there may be a problem on your specific network.

Anonymous

April 01, 2020

Permalink

According to an app I am using (checkey, guardian project), the SHA-256 signature of Tor Browser for Android is 20061f045e737c67375c17794cfedb436a03cec6bacb7cb9f96642205ca2cec8
However the SHA-256 signature you have uploaded is different.
Is the apk fake?
I downloaded the apk from torproject.org on 2 devices and the signature is the same.

If someone knows the answer I would be glad for helping me.

I think 20061f045e737c67375c17794cfedb436a03cec6bacb7cb9f96642205ca2cec8 is the fingerprint of the certificate signing the apk, not the hash of the file.

Anonymous

April 01, 2020

Permalink

Under the section USING PLUGGABLE TRANSPORTS
I still guess you should open the menu at the top right, for rather Customize instead.

Perhaps still a bit more left to do, before any finished product here, because here also something missing when only installing the Tor browser.

This person is talking about instructions in the Tor Browser Manual here:
https://tb-manual.torproject.org/circumvention/

It does say to open the menu at the top right. The second paragraph says, "click on 'Preferences' in the hamburger menu." The "hamburger" menu is the browser's main menu whose icon is a stack of 3 horizontal lines. "Customize" is an unrelated tab where you can edit your toolbar. There is nothing in "Customize" that will help.

You can change the language of the purple website at the top of the page.

Anonymous

April 02, 2020

Permalink

I have a question or two. I use TOR and Firefox. I noticed that somehow they are connected. What is the connection for TOR and Firefox. Is there going to be a takeover of one or the other sometime in the future. Also I noticed when I bring up TOR it does not go full screen. Is it ok to blow it up full screen or will that pose some sort of security risk. Thank you so much.

Tor Browser is based on Firefox, with additional patches and customization. We are collaborating with Mozilla to integrate our changes into Firefox as much as possible (sometimes behind a pref). But the two organizations are independent.

You can maximize the browser window. The window size is a fingerprinting vector, but the letterboxing feature mitigates that:
https://support.torproject.org/tbb/maximized-torbrowser-window/

Anonymous

April 02, 2020

Permalink

I used to love this browser but it is still not working for me. I have the old windows 7.... could this be the issue?

Anonymous

April 04, 2020

Permalink

There were two critical zero day vulnerabilities discovered in Firefox yesterday. These zero day vulnerabilities have apparently been observed in the wild. They both involve use-after-free vulnerabilities. They have been patched in Firefox and Firefox ESR. Here's a link to the advisory:

https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/

Presumably, these vulnerabilities affect Tor as well as it is based on Firefox. As it is now a day old and no updates or comment from Tor. These are both CRITICAL vulnerabilities. When can we expect them to be patched in Tor as well as TAILS?